Solved

Is a Windows 2003 Terminal Service session secure without a VPN connection?

Posted on 2007-11-23
2
434 Views
Last Modified: 2013-11-21
I need to connect two small offices over basic cable broadband connections.  The staff in office A will have a Windows 2003 Server w/ Terminal Services to host a series of applications and files.  The staff in office B will log in via terminal services to their accounts and use the applications/files.  

Is the terminal service connection (from login to logout) secure so that a VPN connection is not needed?  Are there any printing gotchas/concerns over terminal services which I should prepare for?

Other details:
- offices will merge to one single office space in one year (this office to office connection is temporary)
- at times staff may log into terminal service session from home
- both offices currently only have basic cable broadband internet access
- all printing will be local to the office where the user is located (users in office B will need to be able to printers local to the office B network; users in office B will not need to print to office A printers)
- offices are not in line of sight and are 10 miles apart
0
Comment
Question by:dandacci
2 Comments
 
LVL 31

Accepted Solution

by:
Cláudio Rodrigues earned 500 total points
ID: 20341758
This is a question that people will debate all over and have different opinions on the answer. Here you have my own (and I know some here will probably bash me...).
RDP by itself is encrypted. The thing is, due to the way Microsoft implemented the encryption keys, it is subject to man in the middle attacks.
The thing is, all these years working with TS I am still to see one single customer that had a TS hacked when exposed to the internet. Not a single one.
So, do I think a VPN is needed? No.
You can implement, if you are paranoid, SecureRDP on the TS (freeware from 2X.com, that we developed before they acquired my company, Terminal-Services.NET) and customize the RDP client to have your own, unique version number and filter by that. Check this article I wrote:
http://www.msterminalservices.org/articles/Customizing-Microsoft-RDP-Client-Part1.html

And you can always install RecordTS on the terminal server (another software we wrote, now under my new company, TSFactory.com) and record everything that happens at the RDP level (in case you want to record someone trying to hack your TS).

For printing, a couple things to keep in mind:
1. Try to get a printer that is supported by native, out-of-the-box Windows Server 2003 drivers (meaning the drivers shipped with the OS, not requiring anything to be installed). These will work for sure.
2. Avoid host based printers (the ones that use the PC to do all the work normally done by the printer hardware).
3. Avoid as much as you can loading ANY printer driver on the TS UNLESS you have no other option.
4. Consider a product like UniPrint, SimplifyPrint or ThinPrint. They sure cost money BUT will save you a LOT of headaches with printing on TS.

And to wrap this up, TS is pretty good with bandwidth utilization BUT make sure your links are not heavily used for things like web browsing, email etc otherwise RDP will have to compete with everything else and performance will suffer.

Cheers,

Claudio Rodrigues
Microsoft MVP
Windows Server - Terminal Services

0
 

Author Closing Comment

by:dandacci
ID: 31410733
Thank you Claudio (tsmvp).  Your answer was clear and very helpful.  The printing might get tedious.  I will follow up on your suggestions.  Thank you again!!!
0

Featured Post

How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

Join & Write a Comment

Suggested Solutions

On a regular basis I get questions about slow RDP performance, RDP connection problems, strange errors and even BSOD, remote computers freezing or restarting after initiation of a remote session. In a lot of this cases the quick solutions made b…
Sometimes you have to pull out old tricks to get a new firewall to work… While we were installing a new Sonicwall at a customers site we found that sites they were able to visit before were not working.  It seemed random and we could not understa…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now